The server will use AWS.
The infrastructure configuration that we are considering in the future will be as follows.
The location of the "management screen" is missing now.
Assuming that the service built with Laravel can be placed where it is made public as the "web page", I was simply thinking of installing the management screen on another EC2 instance.
The reason is that, in a free consultation with AWS, I was told that placing the management screen inside the web service is not recommended for security reasons, and after hearing this I thought the visual separation between the public side and the management side would be clear.
However, in this case, even if the management screen built with Laravel looks at the same DB, I feel that consistency cannot be maintained unless it matches the public-side Laravel in things like the models, and that this would become double management and be a serious burden to operate.
Is it better to create a management screen in one application?
Can you give us some opinions on whether there is a good way to maintain consistency while putting the management screen on another server?
I have been programming for a long time, but I have only just started studying infrastructure, so it would be helpful if you could give advice at that level.
Incidentally, the development environment is also used for study, and we are building it on a separate EC2 instance without using an ELB.
Thanks for your cooperation.
Answer #1
What are you trying to manage on the management screen?
If both look at the same DB, I don't think it matters much, but what specifically do you mean by the consistency you are worried about?
If you mean consistency in DB migrations, I think there is no problem as long as the source that runs when users access the site is placed on the web server and the DB migration procedure is managed properly.
I agree that the management screen should be separated from the web server.
Answer #2
> Even if it looks at the same DB, I feel that consistency cannot be maintained unless it matches the public-side Laravel in things like the models, and I feel that operation becomes difficult because it becomes double management.
For this, you should use a deployment tool and take measures such as enabling or disabling the management functions per environment.
> Can you give us your opinion on whether there is a good way to maintain consistency while putting the management screen on another server?
I think you should use a deployment tool. (On AWS that would be EB, but if you don't use EB, I don't feel the benefits of AWS.)
Answer #3
This feels more like application design than infrastructure.
Several application-side solutions have already been given.
Put all EC2 instances in the private subnet, and if the EC2 instances need Internet access, place a NAT gateway, a NAT instance, or a proxy that also serves as a bastion in the public subnet.
With an ALB in front, access to the front web and the management screen is separated at L7 by routing to target groups.
For example, if you want to route all /admin access to the management instance, route to the management instance with a /admin path condition, and use the same routing condition with a Redirect action to a sorry page on an S3 static site for when the management instance is down. All remaining access is routed to the web side.
Putting EC2 in the private subnet prevents access from being sent directly to the hosts.
I think a single application can be split into an instance for the management screen and an instance for the front web. Even if the management screen functionality exists on the web instance side, it will not be accessed.
Depending on the conditions set on the target group, it will work even if they are mixed, but security will decrease somewhat.
Since the files can be shared via EFS, it will also be easy to set up Auto Scaling.
For SSH, if you have a bastion or NAT instance, go through it; if you have a NAT gateway, use Client VPN.
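The approach in Answers #2 and #3 (one Laravel codebase on both instances, management functions enabled per environment, so the public instance never serves the admin screen even if the ALB /admin rule is misconfigured), as an added example that is not code from the question or the answers; the `ADMIN_ENABLED` variable, the `admin.enabled` config key and the controller class names are assumptions:

```php
<?php
// Added example: the same Laravel codebase is deployed unchanged to both EC2 instances;
// only the .env differs, which switches the management routes on or off per instance.
// ADMIN_ENABLED, the admin.enabled config key and the controller names are assumptions.
//
//   .env on the public instance:      ADMIN_ENABLED=false
//   .env on the management instance:  ADMIN_ENABLED=true

// ---- config/admin.php ----
// Laravel's env() helper maps the strings "true"/"false" to booleans; the default is
// "disabled", so a missing variable never exposes the admin routes by accident.
return [
    'enabled' => (bool) env('ADMIN_ENABLED', false),
];

// ---- routes/web.php ----
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\HomeController;
use App\Http\Controllers\Admin\DashboardController;

// Public routes: identical on both instances (same models, same migrations, one deploy).
Route::get('/', [HomeController::class, 'index']);

// Management routes: registered only on the management instance. On the public
// instance the /admin/* URLs do not exist at all, so a request that reaches it
// despite the ALB /admin rule gets the normal 404 instead of the admin screen.
if (config('admin.enabled')) {
    Route::prefix('admin')
        ->middleware(['auth', 'can:access-admin'])   // login and authorisation still required
        ->group(function () {
            Route::get('/', [DashboardController::class, 'index']);
        });
}
```

Run `php artisan config:cache` and `php artisan route:cache` on each instance only after its own `.env` is in place, because the cached route table is built from that instance's configuration.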